Chairman Leno, Vice Chair La Suer, and Members of the Committee, thank
you for the opportunity to testify on the privacy of telephone records.
My name is Chris Hoofnagle and I am Director of the Electronic Privacy Information
Center's West Coast Office in San Francisco. EPIC is a not-for-profit research
center established to focus public attention on emerging civil liberties
issues and to protect privacy, the First Amendment, and constitutional values.
We have played a leading role in emerging communications privacy issues
since our founding in 1994.

In this statement today, I will summarize EPIC's efforts to bring public
attention to the problems of pretexting and discuss how SB 202 would protect
a broad range of communications records from sale. In investigating this
issue, I encourage Members and Staffpersons to review the testimony in hearings
held in the US Senate and House on this issue.[1]

EPIC's Efforts to Address Pretexting and Phone Record Sales

In July 2005, EPIC filed a complaint with the Federal Trade Commission
concerning a website that offered phone records and the identities of P.O.
Box owners for a fee through pretexting. Pretexting is a practice where
an individual impersonates another person, employs false pretenses, or otherwise
uses trickery to obtain records.

The owners of the California-based business operating the website responded
to our complaint, claiming that they knew of no law that prohibited them
from selling phone records!

EPIC supplemented the July filing in August with a list of 40 websites
that offered to sell phone records to anyone online. In light of the fact
that so many companies were selling communication records online, EPIC also
petitioned the Federal Communications Commission, urging the agency to require
enhanced security precautions for phone companies’ customer records.[2]
Although telephone carriers unanimously opposed enhanced security requirements,
proposing that lawsuits against pretexters would solve the problem, the
FCC unanimously granted the petition and is seeking comments on enhanced
security standards for phone records.

Most recently, EPIC wrote to the American Bar Association and 50 states'
bar ethics committees to explain that attorneys are hiring investigators
and online data brokers to pretext. EPIC argued that it is unethical for
attorneys to employ these practices, and urged the state authorities to
advise attorneys not to buy pretexting services.

We continue to believe that legislative action is needed at the federal
and state level to protect this information. Phone records can be used
by individuals to stalk and harass other people. They can be used for corporate
espionage purposes. While some claim that pretexting is a legitimate research
tool, that argument is mere sophistry. Those who have a legitimate need
for phone records can obtain a court order in order to access the information.
Pretexting is simply an end-run around existing legal access provisions
for people who probably do not have a legitimate reason to obtain calling
data.

Finally, pretexting is used against many different companies. Pretexters
target Post Offices in order to learn who uses Postal Boxes and Private
Mail Boxes; they target users of automobile navigation systems (such as
GM's OnStar service) in order to locate individuals' cars; they pretext
utility companies to locate people; they target employers to learn facts
about employees; and they even target family members to locate subjects
of investigation. Some websites, such as Abika.com, advertise their ability
to obtain the real identities of people who participate in online dating
websites. A page on Abika.com advertises the company's ability to perform
"Reverse Search AOL ScreenName" services, a search that finds
the "Name of person associated with the AOL ScreenName" and the
"option for address and phone number associated with the AOL ScreenName."[3]
The same page offers
name, address, and phone number information for individuals on Match.com,
Kiss.com, Lavalife, and Friendfinder.com. These are all dating websites
that offer individuals the opportunity to meet others without immediately
revealing who they are.

An archive of EPIC's efforts is available online at http://epic.org/privacy/iei/

SB 202 Will End the Sale of Many Communications Records

Senator Simitian continued his outstanding track record on privacy by introducing
the amended SB 202 shortly after EPIC filed its original phone records complaint.
Reacting to the claims of data brokers that it was legal to sell phone records,
SB 202 makes it clearly illegal to purchase, sell, offer to sell, or conspire
to sell any telephonic calling record.

Telephone record is defined broadly so as to capture pretexters who are
targeting next-generation communications devices, such as "Voice over
Internet Protocol" Telephony (which is widely used by corporations
and governments). Cordless and wireless phones are covered too.

SB 202 contains an exception allowing the sale of phone records where both
the caller and recipient consent. This provision is consistent with California's
heightened telephone privacy laws, which require consent of all parties
to a conversation before it can be taped.

The provisions are backed by serious penalties--up to $2500 in fines and
up to a year in prison. Repeat offenders are subject to a $10,000 fine
and jail time.

SB 202 Is Necessary to Supplement Carrier Enforcement Actions

Telephone carriers have brought lawsuits against pretexters in order to
legally shield their systems and customer records from the practice. While
we support these enforcement efforts, we do not believe they will adequately
secure phone records for two reasons:

First, there is mounting evidence that pretexters will simply rename their
products or start offering them "underground." In an email responding
to EPIC's initial complaint, the Editor of PI Magazine wrote to readers:

[…]

I recommend that you read my interview with the FTC and the specific comments
about telephone records at www.pimagazine.com/ftc_article.htm The
FTC wasn't too concerned about telephone information, but if PI's are
going to blatantly advertise tolls directly to the public as a commodity,
the FTC will get involved and we are going to lose that commodity and
our ability to solve many cases because of it.

PI's need to STOP promoting the selling of toll records directly to the public
as a commodity. Rather, use it as an investigative tool used in the course
of your investigation to lead you to a missing person or to the lead you
need to solve the case. I also suggest that PI's promote such services
as "telephone research" as compared to coming right out and
mentioning tolls, non-pubs, etc.

Indeed, since we filed the original complaint, many websites have removed
their advertisements for phone records. We believe that these services are
still operating by selling data to callers seeking the service or to people
who contact the companies through email. By going underground, it is unlikely
that carriers will identify and bring suits against wrongdoers.

Second, when a carrier brings an enforcement action and obtains an injunction,
the injunction only applies to that carrier. As a result, some companies
that have been sued simply stop selling records pertaining to a single carrier.
In the case illustrated below, Datatrace USA still offers records of Verizon,
Sprint, Nextel, T-Mobile, US Cellular, and MetroPCS.

Because enforcement actions are carrier-specific, they alone cannot solve
the problem of our phone records being subject to pretexting. We therefore
believe that pretexting these records should be prohibited explicitly so
that all carriers are covered by specific legislation.

We believe that SB 202 will go far in ending the sale of phone records.
Please feel free to contact EPIC if we can provide the Committee any further
information.

[1] Protecting Consumers’ Phone Records, Hearing Before
the US Senate Consumer Affairs, Product Safety, and Insurance Hearing,
Wed, Feb. 8 2006, available online at http://commerce.senate.gov/hearings/witnesslist.cfm?id=1742;
Phone Records For Sale: Why Aren't Phone Records Safe From Pretexting?,
Hearing Before the US House Committee on Energy and Commerce, Feb. 1,
2006, available online at http://energycommerce.house.gov/108/Hearings/02012006hearing1763/hearing.htm

[2] Petition of EPIC for Enhanced Security and Authentication
Standards, In re Implementation of the Telecommunications Act of 1996,
CC Docket No. 96-115, available at http://www.epic.org/privacy/iei/cpnipet.html.

[3] See http://www.abika.com/Reports/tracepeople.htm#Search%20Address/Phone%20Number%20associated%20with%20email%20Address%20or%20Instant%20Messenger%20Name.

[4] This screenshot of http://datatraceusa.com/products.asp
was taken March 6, 2006.